gpt4 book ai didi

amazon-web-services - 弹性 beantalk 检索 S3 文件时权限被拒绝

转载 作者:行者123 更新时间:2023-12-03 22:51:11 25 4
gpt4 key购买 nike

我有文件存储在 S3 上并写了 .ebextensions配置以自动将它们复制到新实例。我在 Elastic Beanstalk 控制台中收到此错误:

[Instance: INSTANCEID Module: AWSEBAutoScalingGroup ConfigSet: null] Command failed on instance. Return code: 1 Output: [CMD-AppDeploy/AppDeployStage0/EbExtensionPreBuild] command failed with error code 1: Error occurred during build: Failed to retrieve https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt: HTTP Error 403 : AccessDenied



我的 .ebextension 配置文件有这个部分:
files:
"/target/file/path" :
mode: "000777"
owner: ec2-user
group: ec2-user
source: https://s3-us-west-1.amazonaws.com/_MyBucket_/_MyFolder_/_MyFile.txt

在尝试使此文件复制工作时,我还通过为弹性 beanstalk IAM 角色提供对所有 S3 的标准只读访问策略来放宽权限。它的政策是这样的:
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}

然而,预构建复制步骤仍然失败。我是否以正确的格式提供了源网址?是否涉及其他安全实体/策略?请帮忙 :)

最佳答案

该文档对这个主题非常粗略(可能是 StackExchange Docs 的理想候选者!)。

要使用 .ebextensions 正确执行此操作,您需要在存储桶策略中允许 Beanstalk 实例 IAM 用户,设置 AWS::CloudFormation::Authentication: 身份验证配置并将配置附加到远程源。这是所有其他答案的混合体,但对我来说都以某种方式失败了。

假设您的 IAM 实例角色是 aws-elasticbeanstalk-ec2-role :

  • 设置您的 AWS 存储桶以允许 Beanstalk IAM 用户。编辑“存储桶策略”:
    {
    "Version": "2012-10-17",
    "Id": "BeanstalkS3Copy",
    "Statement": [
    {
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
    "AWS": "<beanstalk_iam_role_arn>"
    },
    "Action": [
    "s3:ListBucketVersions",
    "s3:ListBucket",
    "s3:GetObjectVersion",
    "s3:GetObject"
    ],
    "Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
    ]
    }
    ]
    }

    在哪里:

    beanstalk_iam_role_arn = the fully qualified instance IAMs role. See "IAM role" associated with a running instance if available or see environment configuration. Example: arn:aws:iam::12345689:role/aws-elasticbeanstalk-ec2-role

    bucket_name = your bucket name

  • 在您的 .ebextension/myconfig.config 中,添加一个使用您的 IAM 实例用户的 S3 身份验证块:
    Resources:
    AWSEBAutoScalingGroup:
    Metadata:
    AWS::CloudFormation::Authentication:
    S3Auth:
    type: "s3"
    buckets: ["bucket_name"]
    roleName:
    "Fn::GetOptionSetting":
    Namespace: "aws:asg:launchconfiguration"
    OptionName: "IamInstanceProfile"
    DefaultValue: "aws-elasticbeanstalk-ec2-role"

    Set bucket_name appropriately

  • 定义远程文件并附加 S3 身份验证块:
    "/etc/myfile.txt" :
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth" # Matches to auth block above.
    source: https://s3-eu-west-1.amazonaws.com/mybucket/myfile.txt

    Set your source URL appropriately

  • 关于amazon-web-services - 弹性 beantalk 检索 S3 文件时权限被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26394673/

    25 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com